Hack 37 Keep Your Network Self-Contained
Use egress filtering to mitigate attacks and
information leaks coming from your network.
You're probably familiar with the concept of firewalling as it applies to blocking traffic coming into your network. Have you considered the benefits of filtering traffic that leaves your network? For instance, what would happen if someone compromised a host on your network and used it as a platform to attack other networks? What if a worm somehow made it onto your network and tried to infect hosts across the Internet? At the very least, you would probably receive some angry phone calls and emails. Luckily, filtering your outbound traffic (otherwise known as egress filtering) can help to contain such malicious behavior. Egress filtering can not only protect others from attacks originating from your network, but can also be used to enforce network usage policies and make sure information doesn't leak out of your network onto the wider Internet. In many situations, egress filtering is just as important as filtering inbound traffic.
The general guideline when crafting egress-filtering rules is the same as when constructing any inbound-filtering rule: devices should only be allowed to do what they were meant to do. That is, a mail server should only be allowed to serve and relay mail, a web server should only be allowed to serve web content, a DNS server should only service DNS requests, and so on. By ensuring that this policy is implemented, you can better contain the threats mentioned earlier.
It may also be a good idea to force users to use internal services rather than Internet services wherever possible. For example, if you are using your own DNS servers, clients shouldn't be able to connect to external DNS servers to resolve hostnames. If a client is allowed to do this, you risk the chance that they will reveal intranet hostnames to outside parties when the client attempts to resolve an internal hostname through an external DNS server.
For instance, this restriction can be accomplished in OpenBSD with a rule like this:
rdr on $INT_IF inet proto { tcp, udp } from $INT_IF:network to any port 53 -> $DNS_SERVER port 53
Of course, you'll need to set INT_IF to the interface facing your internal network and set DNS_SERVER to the IP address of your internal DNS server.
Similarly, if you're running an internal mail server, then company email need never cross the Internet. If you have gone to the trouble of setting up an internal email server, do you really want your employees to be able to connect to servers outside your network? You can do this with a similar rule:
rdr on $INT_IF inet proto tcp from $INT_IF:network to any port 25 -> $SMTP_HOST port 25
Egress filtering can also prevent IP spoofing. By filtering on your external interface at the border of your network, you can verify that packets leaving your network have source addresses that match your address space. By filtering all other traffic, you can ensure that any IP spoofing attack performed from your network or routed through it will be dropped before the packets are able to leave.
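Putting the pieces of this hack together, here is a complete egress policy in the same (pre-4.7, rdr-style) PF syntax, as an added example that is not from the book. INT_IF, DNS_SERVER and SMTP_HOST are the names the hack uses; EXT_IF, DMZ_IF, WEB_SERVER, the table <ournets> and all addresses are constructed for this example, and it assumes the servers sit on their own DMZ segment so that their replies to redirected clients pass back through the firewall.

```pf
# Interfaces and hosts (constructed values; adjust to your network)
EXT_IF = "fxp0"
INT_IF = "fxp1"                 # client LAN: 192.168.1.0/24
DMZ_IF = "fxp2"                 # servers:    192.0.2.0/24
DNS_SERVER = "192.0.2.53"
SMTP_HOST  = "192.0.2.25"
WEB_SERVER = "192.0.2.80"
# Address space that is allowed to leave through the border
table <ournets> const { 192.168.1.0/24, 192.0.2.0/24 }

set skip on lo0

# Force clients onto the internal DNS and mail servers (the hack's two rules)
rdr on $INT_IF inet proto { tcp, udp } from $INT_IF:network to any port 53 -> $DNS_SERVER port 53
rdr on $INT_IF inet proto tcp from $INT_IF:network to any port 25 -> $SMTP_HOST port 25

# Default deny in both directions; log egress drops so compromised hosts show up
block in log all
block out log all

# Anti-spoofing: a packet may only enter from the segment its source belongs to,
# and nothing leaves the border unless its source is in our address space
antispoof quick for { $INT_IF, $DMZ_IF } inet
block in quick on $INT_IF inet from ! $INT_IF:network to any
block in quick on $DMZ_IF inet from ! $DMZ_IF:network to any
block out quick on $EXT_IF inet from ! <ournets> to any

# Clients: only the redirected DNS/SMTP sessions and web browsing may leave.
# PF states float across interfaces by default, so these "pass in" rules also
# carry the same packets out through $DMZ_IF or $EXT_IF.
pass in on $INT_IF inet proto { tcp, udp } from $INT_IF:network to $DNS_SERVER port 53 keep state
pass in on $INT_IF inet proto tcp from $INT_IF:network to $SMTP_HOST port 25 keep state
pass in on $INT_IF inet proto tcp from $INT_IF:network to any port { 80, 443 } keep state

# Servers: each one may only do what it was meant to do
pass in on $DMZ_IF inet proto { tcp, udp } from $DNS_SERVER to any port 53 keep state
pass in on $DMZ_IF inet proto tcp from $SMTP_HOST to any port 25 keep state
# The web server only answers inbound requests and initiates nothing outbound
pass in on $EXT_IF inet proto tcp from any to $WEB_SERVER port { 80, 443 } keep state
```

Load it with pfctl -nf to syntax-check before pfctl -f, and watch the logged blocks with tcpdump on pflog0 to see which outbound connections the policy is refusing.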